Vigil@nce - F5 BIG-IP: information disclosure via APM Logs
October 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can read APM logs on F5 BIG-IP, in order
to obtain sensitive information.
Impacted products: BIG-IP Hardware, TMOS.
Severity: 2/4.
Creation date: 11/08/2016.
DESCRIPTION OF THE VULNERABILITY
The F5 BIG-IP product offers an Access Policy Manager (APM) service.
However, an authenticated attacker can use the Configuration
utility to read APM logs, which may contain passwords.
An authenticated attacker can therefore read APM logs on F5
BIG-IP, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/F5-BIG-IP-information-disclosure-via-APM-Logs-20367